Lazarus Group’s New Malware is Harder To Detect, Cyber Security Firm Warns Crypto Firms

David Pokima

Cyber security experts at ESET have warned firms of the threat posed by the Lazarus Group’s new malware “LightlessCan”, saying it is more difficult to detect than previous versions.

According to the firm, the malware is mostly deployed in employment scams luring users to install a malicious payload disguised as a job task or document related to the company.

In its blog post of Sept 29, the firm explained how the new malware works, the damage it does to network systems, the different execution chains leading to cyber espionage, and more.

The Lazarus Group has been linked to several crypto hacks running into millions of dollars, most notably the incident that saw over $40 million wiped from the sports betting platform Stake.com.

The group was also linked to the Bithumb and NiceHash incidents, in which millions were stolen, as well as attacks on traditional companies such as AstraZeneca and Sony, and the WannaCry ransomware outbreak.

Here’s how it worked

The cyber security experts explained that the hackers deliver payloads to the victim’s network by utilizing a remote access Trojan, a far more sophisticated advancement than previous versions. 

“LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions. This strategic shift enhances stealthiness, making detecting and analyzing the attacker’s activities more challenging.”

LightlessCan also uses guardrails which serve as protective mechanisms for the payload during its execution, “effectively preventing unauthorized decryption on unintended machines, such as those of security researchers,” they added.

Per the report, after initial access was gained through a social media hiring process, the malware used multiple layers of encryption, AES-128 and RC6 with a 256-bit key, carried over from the group’s previous campaigns such as the Amazon incident.

In the final stages, the RAT’s deployment relies on droppers and loaders that carry the embedded payload onto the target systems.

“The most interesting payload used in this campaign is LightlessCan, a successor of the group’s flagship HTTP(S) Lazarus RAT named BlindingCan. LightlessCan is a new complex RAT that has support for up to 68 distinct commands, indexed in a custom function table, but in the current version, 1.0, only 43 of those commands are implemented with some functionality.”

Finally, the security team called for renewed awareness of such scams in order to drastically reduce their occurrence and improve digital safety.

Spain’s aerospace company as a case study

The firm uncovered a hack by the Lazarus Group on a Spanish aerospace company that used the new LightlessCan malware.

The bad actors gained access to the company’s networks last year after a series of targeted campaigns in which they posed as a recruiter for the company.

They contacted the victim through LinkedIn and sent two coding tasks as part of the fake hiring process. The first task was a basic “Hello, World!” program, while the second involved printing a Fibonacci sequence.
